National Institute of Standards and Technology announces a review of the Secure Hash Standard (SHS)
June 10, 2022
The National Institute of Standards and Technology (“NIST”) has announced a review of FIPS 180-4, Secure Hash Standard (SHS).
In its media release, NIST states:
- SHA-1. In recent years, the cryptanalytic attacks on the SHA-1 hash function have become increasingly severe and practical (see, e.g., the 2020 paper “SHA-1 is a Shambles” by Leurent and Peyrin). NIST therefore plans to remove SHA-1 from a revision of FIPS 180-4 and to deprecate and eventually disallow all uses of SHA-1. The Cryptographic Module Validation Program will establish a validation transition schedule.
  - How will this plan impact fielded and planned SHA-1 implementations?
  - What should NIST consider in establishing the timeline for disallowing SHA-1?
- Interface. The “Init, Update, Final” interface was part of the SHA-3 Competition submission requirements. Should a revision of FIPS 180-4 discuss the “Init, Update, Final” hash function interface?
The review is quite detailed and, of course, highly technical.
Some interesting issues:
- this Standard relates to specific secure hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
- all of the algorithms:
  - are iterative, one-way hash functions that can process a message to produce a condensed representation called a message digest.
  - enable the determination of a message’s integrity: any change to the message will, with a very high probability, result in a different message digest. This is used in the generation and verification of digital signatures and message authentication codes, and in the generation of random numbers or bits.
  - can be described in two stages:
    - preprocessing, which involves padding a message, parsing the padded message into m-bit blocks, and setting initialization values to be used in the hash computation.
    - hash computation, which generates a message schedule from the padded message and uses that schedule, along with functions, constants, and word operations, to iteratively generate a series of hash values. The final hash value is used to determine the message digest.
  - differ most significantly in the security strengths that are provided for the data being hashed.
  - differ in terms of the size of the blocks and words of data that are used during hashing or message digest sizes. Figure 1 presents the basic properties of these hash algorithms.